Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

CMS AND ITS CONTRACTORS HAVE ADOPTED FEW PROGRAM INTEGRITY PRACTICES TO ADDRESS VULNERABILITIES IN EHRS

Daniel R. Levinson
Inspector General

January 2014
OEI-01-11-00571

EXECUTIVE SUMMARY: CMS AND ITS CONTRACTORS HAVE ADOPTED FEW PROGRAM INTEGRITY PRACTICES TO ADDRESS VULNERABILITIES IN EHRS
OEI-01-11-00571

WHY WE DID THIS STUDY
Electronic health records (EHRs) replace traditional paper medical records with computerized recordkeeping to document and store patient health information. Experts in health information technology caution that EHR technology can make it easier to commit fraud. For example, certain EHR technology features may be used to mask true authorship of the medical record and distort information to inflate health care claims. The transition from paper records to EHRs may present new vulnerabilities and require the Centers for Medicare & Medicaid Services (CMS) and its contractors to adjust their techniques for identifying improper payments and investigating fraud.

HOW WE DID THIS STUDY
We sent an online questionnaire to CMS administrative and program integrity contractors that use EHRs to pay claims, identify improper Medicare payments, and investigate fraud. We also reviewed guidance documents and policies on EHRs and fraud vulnerabilities that CMS and its contractors released for health care providers. Lastly, we reviewed documents on EHRs and Medicare claims that CMS provided to its contractors.

WHAT WE FOUND
CMS and its contractors had adopted few program integrity practices specific to EHRs. Specifically, few contractors were reviewing EHRs differently from paper medical records.
In addition, not all contractors reported being able to determine whether a provider had copied language or overdocumented in a medical record. Finally, CMS had provided limited guidance to Medicare contractors on EHR fraud vulnerabilities.

WHAT WE RECOMMEND
Although EHR technology may make it easier to perpetrate fraud, CMS and its contractors have not adjusted their practices for identifying and investigating fraud in EHRs. Our report made two recommendations. First, CMS should provide guidance to its contractors on detecting fraud associated with EHRs. CMS could work with contractors to identify best practices and develop guidance and tools for detecting fraud associated with EHRs. Second, CMS should direct its contractors to use providers’ audit logs. Audit log data distinguish EHRs from paper medical records and could be valuable to CMS’s contractors when reviewing medical records. CMS concurred with our first recommendation and partially concurred with our second recommendation.

TABLE OF CONTENTS

Objective
Background
Methodology
Findings
    CMS and its contractors had adopted few program integrity practices specific to EHRs
    CMS had provided limited guidance to its contractors on fraud vulnerabilities in EHRs
Conclusion and Recommendations
    Agency comments and Office of Inspector General response
Appendix
    A: Agency Comments
Acknowledgments

OBJECTIVE
To describe how the Centers for Medicare & Medicaid Services (CMS) and its contractors implemented program integrity practices in light of electronic health records (EHRs) adoption.

BACKGROUND

Electronic Health Records
EHRs replace traditional paper medical records with computerized recordkeeping to document and store patient health information. EHRs may include patient demographics, progress notes, medications, medical history, and clinical test results from any health care encounter.[1]

EHRs may create new vulnerabilities, requiring CMS and its contractors to revise their approaches to protect against fraud and abuse. For example, clues within the progress notes, handwriting styles, and other attributes that help corroborate the authenticity of paper medical records are largely absent in EHRs. Further, tracing authorship and documentation in an EHR may not be as straightforward as tracing in a paper record.
Health care providers can use EHR software features that may mask true authorship of the medical record and distort information in the record to inflate health care claims.

CMS and Fraud Detection With EHRs
CMS uses administrative and program integrity contractors to pay claims, identify improper Medicare payments, and investigate fraud. These contractors include Medicare Administrative Contractors (MACs), Zone Program Integrity Contractors (ZPICs), and Recovery Audit Contractors (RACs).

MACs. MACs are responsible primarily for processing and paying Medicare claims.[2] MACs collaborate with CMS and other contractors to ensure that they pay claims correctly. MACs also educate providers on appropriate billing methods and are responsible for detecting and deterring fraud.

ZPICs. ZPICs are responsible primarily for detecting and deterring Medicare fraud.[3] ZPICs investigate providers that have filed potentially fraudulent claims by a variety of methods, including prepayment and postpayment reviews and onsite audits. They may also recommend that CMS or MACs revoke the billing privileges of providers.

RACs. RACs are responsible primarily for identifying and reducing Medicare improper payments by detecting and recouping improper payments made on claims of Medicare services.[4]

MACs, ZPICs, and RACs rely on medical records in aspects of their program integrity work. The transition from paper records to EHRs may require these contractors to adjust their techniques for identifying improper payments and investigating fraud.

[1] CMS, Electronic Health Records Overview. Accessed at http://www.cms.gov on Jan. 11, 2011.
[2] CMS, Part A and Part B Medicare Administrative Contractor Statement of Work, Attachment H-1, Master, § C.4.4.a, September 2011.
[3] CMS, ZPIC IDIQ Umbrella Statement of Work, § 1.1.4, May 2009; CMS, Medicare Program Integrity Manual, Pub. No. 100-08, ch. 4, § 4.2.2.

Ways EHRs May Facilitate Fraud
The full extent of health care fraud is unknown but it is substantial. The cost of health care fraud is between $75 billion and $250 billion. These figures are based on CMS estimates of total health care expenditures in 2009.[5] Experts in health information technology caution that EHR technology can make it easier to commit fraud.[6] Certain EHR documentation features, if poorly designed or used inappropriately, can result in poor data quality or fraud. Below we describe two examples of EHR documentation practices that could be used to commit fraud.

Copy-Pasting.
Copy-pasting, also known as cloning, enables users to select information from one source and replicate it in another location.[7] When doctors, nurses, or other clinicians copy-paste information but fail to update it or ensure accuracy, inaccurate information may enter the patient’s medical record and inappropriate charges may be billed to patients and third-party health care payers. Furthermore, inappropriate copy-pasting could facilitate attempts to inflate claims and duplicate or create fraudulent claims.

Overdocumentation. Overdocumentation is the practice of inserting false or irrelevant documentation to create the appearance of support for billing higher level services. Some EHR technologies auto-populate fields when using templates built into the system. Other systems generate extensive documentation on the basis of a single click of a checkbox, which if not appropriately edited by the provider may be inaccurate. Such features can produce information suggesting the practitioner performed more comprehensive services than were actually rendered.[8]

[4] CMS, Medicare Program Integrity Manual, Pub. No. 100-08, ch. 1, § 1.3.1.
[5] CMS, National Health Expenditure Data. Accessed at http://www.cms.gov on Jan. 3, 2012.
[6] Dougherty, Michelle. HIT Policy Committee Hearing on Clinical Documentation, February 13, 2013. Accessed at http://www.healthit.gov on March 19, 2013.
[7] Association of American Medical Colleges, Compliance Officers’ Forum. Appropriate Documentation in an EHR: Use of Information That Is Not Generated During the Encounter for Which the Claim Is Submitted: Copying/Importing/Scripts/Templates. July 11, 2001.

Ways EHRs May Safeguard Against Fraud
Usage policies and technology features, if used consistently, could help prevent EHR fraud. However, providers that use EHR technology can often disable or bypass these features, making them ineffective. The Office of the National Coordinator for Health Information Technology (ONC), the office that coordinates the adoption, implementation, and exchange of EHRs, contracted with RTI International to develop recommended requirements for enhancing data quality in EHRs. Included in those recommendations are audit logs; access controls, including passwords; and export controls that restrict transferring information. The RTI recommendations highlight the importance of audit logs in fraud detection in that one-third of the individual criteria focus on the functions and features of audit logs.

Audit logs track changes within a record chronologically by capturing data elements, such as date, time, and user stamps, for each update to an EHR. An audit log can be used to analyze historical patterns that can identify data inconsistencies.
To provide the most benefit in fraud protection, audit logs should always be operational, be stored as long as clinical records, and never be altered.

Health Information Technology for Economic and Clinical Health Act
The Health Information Technology for Economic and Clinical Health Act was enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), to support the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information.[9] Its goal is to achieve widespread adoption of EHRs by 2014.

To encourage EHR adoption, ARRA established the Medicare and Medicaid EHR incentive programs.[10] CMS will pay over $22.5 billion in incentive payments to eligible professionals and hospitals that demonstrate meaningful use of certified EHR technology. Medicare professionals and hospitals will face payment adjustments under Medicare starting in 2015 for failing to successfully demonstrate meaningful use of certified EHR technology.[11]

[8] Dougherty, Michelle. HIT Policy Committee Hearing on Clinical Documentation, February 13, 2013. Accessed at http://www.healthit.gov on March 19, 2013.
[9] P.L. 111-5, Title XIII.
[10] ARRA, Title IV, Pub L. 111-5.

Related Office of Inspector General Work
The Office of Inspector General (OIG) released a companion report to this review that assessed the extent to which hospitals that have received EHR incentive payments implemented recommended fraud safeguards for EHR technology.[12]

In 2012, OIG released a report on physicians’ reported use of EHR technology that found that 57 percent of Medicare physicians used an EHR at their primary practice locations in 2011. Additionally, three of every four Medicare physicians with an EHR system used a certified system to document evaluation and management services.[13] OIG is currently determining the extent to which documentation errors were facilitated by using EHR technology.[14]

In 2012, OIG released a study that found that CMS faces obstacles to overseeing the Medicare EHR incentive program that leave the program vulnerable to paying incentives to professionals and hospitals that do not fully meet the meaningful use requirements.[15]

In 2011, OIG released an audit of information technology (IT) controls in health IT standards.
OIG found that ONC EHR certification criteria focused on IT security application controls for communication between EHR systems, but did not include basic, general IT security controls.[16]

METHODOLOGY

Scope
This study determined the extent to which the CMS administrative and program integrity contractors have adjusted program integrity efforts in light of EHR adoption.

[11] See §§ 1848(a)(7), 1853(l)(4), and 1886(b)(3)(B), as enacted in ARRA. See also CMS, CMS Finalizes Requirements for the Medicare EHR Incentive Program. Accessed at http://www.cms.gov on Jan. 3, 2012.
[12] OIG, Not All Recommended Safeguards Have Been Implemented in Hospital EHR Technology, OEI-01-11-00570, December 2013.
[13] OIG, Use of Electronic Health Record Systems in 2011 Among Medicare Physicians Providing Evaluation and Management Services, OEI-04-10-00184, June 2012.
[14] OIG, OEI-04-10-00182, in progress.
[15] OIG, Early Assessment Finds That CMS Faces Obstacles in Overseeing the Medicare EHR Incentive Program, OEI-05-11-00250, November 2012.
[16] OIG, Audit of Information Technology Security Included in Health Information Technology Standards, A-18-09-30160, May 2011.

Data Sources
CMS Contractor Questionnaires: We administered online questionnaires in January 2013 to three types of CMS administrative and program integrity contractors that use EHRs to pay claims, identify improper Medicare payments, and investigate fraud. We sent questionnaires to eight MACs, six ZPICs, and four RACs.[17] The questionnaires asked about their policies, procedures, and experiences with EHR fraud and Medicare claims. We asked about any procedures or review practices specific to EHRs. We had a 100-percent response rate.

Document Review: We reviewed guidance documents and policies on EHRs and fraud vulnerabilities that CMS and its contractors released for health care providers. We also reviewed CMS transmittals of new or changed policies and procedures relating to EHRs.

Limitations
Our analysis used self-reported data from CMS contractors.
We did not independently verify their statements.

Standards
This study was conducted in accordance with the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency.

[17] Given that some of the contractors were transitioning both in and out of service, we consulted with CMS about which contractors we should contact for our study; therefore, the number of contractors that we contacted does not match the number currently operating.

FINDINGS

CMS and its contractors had adopted few program integrity practices specific to EHRs
Although EHR technology may make it easier to perpetrate fraud, CMS and its contractors have not adjusted their practices for identifying and investigating fraud in EHRs.

Few contractors were reviewing EHRs differently from paper medical records
Although additional reviews are not required by CMS, two MACs and two ZPICs reported that they conduct them for EHRs beyond what they do for paper medical records. For example, the MACs reported that they confirm electronic signatures and request the providers’ EHR protocols. The ZPICs reported that they request information about the providers’ EHR technology and question the providers about their ability to access and alter the EHR data.
(See Table 1.)

Table 1: Number of CMS Contractors That Reported Conducting Additional Review Procedures

Contractor   Conduct Additional Review   Use Audit Log Data
MAC          2 out of 8                  1 out of 8
RAC          0 out of 4                  1 out of 4
ZPIC         2 out of 6                  1 out of 6

Source: OIG analysis of contractors’ responses to questionnaire, 2013.

Audit log data are unique to EHRs. They distinguish EHRs from paper records and could be valuable in authenticating the medical record that supports a claim. However, only 3 of the 18 Medicare contractors reported using audit log data as part of their reviews or investigative processes. For example, one contractor reported that it had used the audit log to verify that the provider had not changed the medical record after the date of care.
Another contractor reviewed the audit log to validate authenticity of entries made in the medical record.

Not all contractors reported being able to determine whether a provider had copied language or overdocumented in a medical record
MACs, ZPICs, and RACs reported varying ability to identify copied language and overdocumentation in both EHRs and paper medical records; however, ZPICs most often reported being able to identify such instances. (See Table 2.) Generally, more contractors reported being able to identify overdocumentation compared to copied language. Overdocumentation may be easier to identify because it is evident within the supporting medical record for a single claim. Contractors are unlikely to identify copied language in a single claim because it may require a single reviewer to examine multiple claims from a single patient or provider for evidence of copied language. ZPICs may be more successful at identifying potentially inappropriate practices because their primary objective is to target fraud and they are more likely to look at multiple claims as compared to other contractors. In addition, the other contractors refer instances of suspected fraud to ZPICs.

Opportunities for a provider to inappropriately copy-paste language and overdocument in a medical record for higher payment exist in paper medical records as well as EHRs.
However, features in EHR technology make it easier for providers to copy-paste and overdocument in EHRs.

Table 2: Number of CMS Contractors That Reported Being Able To Identify Copied Language and Overdocumentation

                     Copied Language                     Overdocumentation
Type of Contractor   EHR          Paper Medical Record   EHR          Paper Medical Record
MAC                  4 out of 8   4 out of 8             6 out of 8   5 out of 8
ZPIC                 3 out of 6   6 out of 6             6 out of 6   6 out of 6
RAC                  2 out of 4   1 out of 4             3 out of 4   3 out of 4

Source: OIG analysis of contractors’ responses to questionnaire, 2013.

Among those contractors that could identify copied language and overdocumentation, not all reported taking followup actions after identifying these practices in both EHRs and paper medical records. Although all six ZPICs reported taking action after identifying copied language and overdocumentation, not all MACs and RACs did. Four MACs reported they referred the claims to the ZPICs; educated providers about proper documentation; and took administrative action, such as denial of payment. The two RACs that reported taking action sought further direction from CMS. About half of the ZPICs took administrative action, such as overpayment adjustments, referrals to law enforcement, or referrals to CMS for payment suspension. The other ZPICs conducted additional interviews, additional physician reviews, or site visits.

CMS had provided limited guidance to its contractors on fraud vulnerabilities in EHRs
Contractors reported receiving limited guidance from CMS in the past 2 years about fraud vulnerabilities, such as copied language, overdocumentation, and electronic signatures. (See Table 3.) Although MACs and RACs received guidance, ZPICs unanimously responded that CMS did not provide them with any. CMS did issue guidance to the contractors that states that “medical record keeping within an EHR deserves special considerations” and that “the original content, the modified content, and the date and authorship” must be identifiable. However, this guidance provides few details, and contractors described to OIG areas related to EHRs that require additional guidance.[18] Contractors noted proxy and electronic signatures (three MACs), EHR documentation (four MACs), and CMS’s Electronic Submission of Medical Documentation Program (two ZPICs) as areas related to EHRs that they believe require additional CMS guidance.

Table 3: Number of Contractors That Reported Receiving Guidance From CMS Related to EHRs

CMS Guidance                 MAC          RAC          ZPIC
Copied language              0 out of 8   2 out of 4   0 out of 6
Overdocumentation            1 out of 8   1 out of 4   0 out of 6
Electronic signatures        6 out of 8   3 out of 4   0 out of 6
Other EHR-related guidance   2 out of 8   1 out of 4   0 out of 6

Source: OIG analysis of contractors’ responses to questionnaire, 2013.

[18] CMS Manual System, Pub. No. 100-08, Medicare Program Integrity, Transmittal 442. December 7, 2012.

CONCLUSION AND RECOMMENDATIONS
The Department of Health and Human Services has spent considerable resources to promote widespread adoption of EHRs, including developing certification criteria and defining meaningful use for EHR technology while paying over $22.5 billion in incentive payments. It has directed less attention to addressing potential fraud and abuse vulnerabilities in EHRs despite the challenges they pose to the integrity of medical records.

Our findings show that CMS and its contractors have not changed their program integrity strategies in light of EHR adoption. Some CMS contractors reported that they were unable to identify copied language and overdocumentation in a medical record.
This is a particular concern with EHRs because such documentation practices are made easier in an electronic environment. In addition, few CMS contractors have adopted additional review procedures for EHRs. Finally, CMS has offered limited guidance to CMS contractors on fraud vulnerabilities.

We recommend that CMS:

Provide guidance to its contractors on detecting fraud associated with EHRs
Although CMS has communicated to contractors through manuals that “medical record keeping within an EHR deserves special considerations” and that “the original content, the modified content, and the date and authorship” must be identifiable, it has provided contractors with limited guidance regarding the review of EHR-based claims. CMS could work with contractors to identify best practices and develop guidance and tools for detecting fraud associated with EHRs. Specific guidance should address EHR documentation and electronic signatures in EHRs.

Direct its contractors to use providers’ audit logs
Audit log data are unique to EHRs and distinguish EHRs from paper medical records. Audit logs could be a source of information for CMS’s contractors when reviewing medical records.
Audit log data could be valuable in authenticating the medical record that supports a claim.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE
CMS concurred with our first recommendation and partially concurred with our second recommendation.

To address our recommendation that CMS provide guidance to its contractors on detecting fraud associated with EHRs, CMS stated that it intends to develop guidance on the appropriate use of the copy-paste feature in EHRs. It also stated that it will work with its contractors to identify best practices for detecting fraud associated with EHRs. Our recommendation referenced guidance specific to EHR documentation and electronic signatures in EHRs. We ask CMS to address guidance on these issues in its final management decision.

In response to our second recommendation, that CMS direct its contractors to use audit logs, CMS acknowledged that audit logs can be one of several tools to ensure the accuracy and validity of information in EHRs. It also stated that the use of audit logs may not be appropriate in every circumstance and that review of audit logs requires special training. CMS stated that it is working with its contractors, EHR experts, and ONC-sponsored workgroups to consider issues presented by digital clinical data, including determining the authenticity of information in EHRs.
We agree
that audit logs should be part of a comprehensive approach to reviewing
authenticity of EHRs and understand the challenges that CMS and its
contractors face to use audit logs. We reiterate our recommendation that
CMS make audit logs part of its contractors’ reviews of EHRs.

For a full text of CMS’s comments, see Appendix A.

APPENDIX A

Agency Comments

DEPARTMENT OF HEALTH & HUMAN SERVICES
Centers for Medicare & Medicaid Services

Administrator
Washington, DC 20201

DATE: NOV 22 2013

TO: Daniel R. Levinson
Inspector General

FROM: Marilyn Tavenner
/S/
Administrator

SUBJECT: Office of Inspector General (OIG) Draft Report: "CMS and Its Contractors Have
Adopted Few Program Integrity Practices to Address Vulnerabilities in EHRs"
(OEI-01-11-00571)

The Centers for Medicare & Medicaid Services (CMS) appreciates the opportunity to review and
comment on the above-referenced OIG draft report.
The purpose of this report is to describe
how CMS and its contractors implemented program integrity practices in light of electronic
health records (EHRs) adoption.

The CMS is committed to preventing fraud, waste, and abuse in EHRs. CMS has issued
guidance to its contractors that states that "medical record keeping within an EHR deserves
special considerations" and that "the original content, the modified content, and the date and
authorship" must be identifiable
(http://www.cms.gov/regulations-and-guidance/guidance/transmittals/downloads/r442pi.pdf).
However, CMS realizes that additional
guidance is needed and intends to work with its contractors in the development of effective
guidance and tools in an effort to detect fraud vulnerabilities in the area of EHRs.

Our response to each of the OIG recommendations follows.

OIG Recommendation:

CMS should provide guidance to its contractors on detecting fraud associated with EHRs.

CMS Response:

The CMS concurs with this recommendation. CMS has been actively considering the issue of
preventing fraud, waste, and abuse in EHRs. In May 2013, CMS and ONC held a public
listening session with stakeholders about a number of issues pertaining to billing and coding for
EHRs, including the impact of EHRs on clinical documentation. Given its potential for use in
fraud, CMS intends to develop appropriate guidelines to ensure appropriate use of the copy paste
feature in EHRs.
CMS will also consider whether additional guidance and tools are needed to

ACKNOWLEDGMENTS

This report was prepared under the direction of Joyce Greenleaf, Regional
Inspector General for Evaluation and Inspections in the Boston regional
office; Kenneth Price, Deputy Regional Inspector General; and Russell
Hereford, Deputy Regional Inspector General.

Danielle Fletcher served as the team leader for this study. Other Office of
Evaluation and Inspections staff from the Boston regional office who
conducted the study include Kimberly Yates. Central office staff who
provided support include Kevin Manley and Clarence Arnold.

Office of Inspector General
http://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as
amended, is to protect the integrity of the Department of Health and Human Services
(HHS) programs, as well as the health and welfare of beneficiaries served by those
programs. This statutory mission is carried out through a nationwide network of audits,
investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting
audits with its own audit resources or by overseeing audit work done by others.
Audits
examine the performance of HHS programs and/or its grantees and contractors in carrying
out their respective responsibilities and are intended to provide independent assessments of
HHS programs and operations. These assessments help reduce waste, abuse, and
mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide
HHS, Congress, and the public with timely, useful, and reliable information on significant
issues. These evaluations focus on preventing fraud, waste, or abuse and promoting
economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI
reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations
of fraud and misconduct related to HHS programs, operations, and beneficiaries. With
investigators working in all 50 States and the District of Columbia, OI utilizes its resources
by actively coordinating with the Department of Justice and other Federal, State, and local
law enforcement authorities. The investigative efforts of OI often lead to criminal
convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to
OIG, rendering advice and opinions on HHS programs and operations and providing all
legal support for OIG’s internal operations. OCIG represents OIG in all civil and
administrative fraud and abuse cases involving HHS programs, including False Claims Act,
program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG
also negotiates and monitors corporate integrity agreements.
OCIG renders advisory
opinions, issues compliance program guidance, publishes fraud alerts, and provides other
guidance to the health care industry concerning the anti-kickback statute and other OIG
enforcement authorities.